The document promotes the ebook 'Information Security Planning: A Practical Approach, 2nd Edition' by Susan Lincke, available for download at textbookfull.com. It outlines the book's focus on organizational security planning for non-experts, covering essential security standards and regulations. The text includes practical tools like a Security Workbook and case studies to aid in understanding and implementing security measures.


Susan Lincke

Information Security Planning
A Practical Approach
2nd ed. 2024

Susan Lincke
University of Wisconsin-Parkside, Kenosha, WI, USA

ISBN 978-3-031-43117-3
e-ISBN 978-3-031-43118-0
https://doi.org/10.1007/978-3-031-43118-0

© The Editor(s) (if applicable) and The Author(s), under exclusive
license to Springer Nature Switzerland AG 2024

This work is subject to copyright. All rights are solely and exclusively
licensed by the Publisher, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, reuse of
illustrations, recitation, broadcasting, reproduction on microfilms or in
any other physical way, and transmission or information storage and
retrieval, electronic adaptation, computer software, or by similar or
dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks,
service marks, etc. in this publication does not imply, even in the
absence of a specific statement, that such names are exempt from the
relevant protective laws and regulations and therefore free for general
use.

The publisher, the authors, and the editors are safe to assume that the
advice and information in this book are believed to be true and accurate
at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, expressed or implied, with respect to the
material contained herein or for any errors or omissions that may have
been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer
Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham,
Switzerland
Preface: How to Use This Book
This book is useful in organizational security planning. This text was
written for people who are not computer experts, including business
managers or owners with no previous IT background, or overworked IT
staff and students, who are looking for a shortcut in understanding and
designing security. The text has examples to help you understand each
required step within the workbook. The best design will eventually
involve both business and IT/security people.
This second edition of the book is an international edition, covering
the worldwide standard: Payment Card Industry Data Security
Standard (PCI DSS), the European GDPR, and American security laws
with a special chapter on HIPAA/HITECH. This edition also has
chapters on data privacy, forensic analysis, advanced networks (cloud
and zero trust), ethics, and an expanded section on secure software.
The associated Security Workbook has been designed to guide
security neophytes through the security planning process. You may edit
this Microsoft Word version of the Security Workbook for your own
organization’s use. This tool is available from your text download site or
the book’s web site at https://sn.pub/lecturer-material.
This book can be used out of order, although it is recommended that
you read Part I to understand security threats, before proceeding to
later parts. Applicable chapters in Part V on regulation (European
GDPR and diverse US laws) are also a good way to understand the
security challenges and prioritize your required planning. Following an
understanding of the threats, PCI DSS requirements and applicable
regulation, Chap. 5 on Business Continuity and Chap. 7 on Information
Security are very important before proceeding to Chap. 8 on Network
Security and later. While you may execute the chapters out of order,
each applicable chapter is important in making your organization
attack-resistant.
Optional topics may be applicable to your organization. Part VI—
Developing Secure Software—is only applicable for software engineers.
Since this is an international edition, laws for nations outside your
home country may or may not be applicable, depending on where you
do business. The forensic analysis, information privacy, cloud/zero
trust, and governance topics may be applicable depending on your
organizational role and technical abilities, and your company’s
regulation and network configuration.
Advanced sections within some chapters are optional reading and
not absolutely necessary to develop initial security plans. They offer a
broader knowledge base to understand the security environment and
address relevant background topics that every security professional
should know.
It is important to recognize that even large well-funded
organizations with full-time professional security staff cannot fully
secure their networks and computers. The best they can do is to make
the organization a very difficult target. The problem with security is
that the attacker needs to find one hole, while the defender needs to
close all holes—an impossibility. However, with this text you are well
on your way to making your organization attack-resistant.
This book guides security planning for a simple-to-medium level
security installation. After your design is done, you must implement
your plan! While you can do much security planning without
IT/security expertise, eventually IT experts are needed to implement
the technical aspects of any plan. It will be useful at that time to discuss
your security design with your IT specialists, be they in-house or
external. Alternatively, if you are technical, you will need cooperation
from business management to understand where sensitive data lies and
regulatory concerns, in order to plan organizational security well.
For organizations requiring a high level of security, such as banks
and military, this text is a start but is insufficient by itself. This book is a
stepping stone also for organizations that must adhere to a high level of
security regulation and standards. The best implementation can start
with this book, but must also address each item of each regulation or
standard your organization must adhere to.

For the Educator


This book has aspects for course differentiation, to be useful to the
professional, technical, business, and potentially medical educational
communities; and also from lower level to introductory graduate
courses.
For the security professional or service-learning educator, some
chapters can be read and performed out of order (or in order of reader
priority). The prerequisite understanding is always described at the
beginning of each section and the beginning of each chapter.
Each chapter ends with a small set of questions and one or more
case study exercises. The questions are meant for simpler levels of
sophistication, such as a review of vocabulary, web research into more
resources, and application of the workbook for varying industries and
security regulations.
The more sophisticated course can delve into a longitudinal case
study, either in an industry of the student groups’ choosing or on the
Health First Doctor’s Office, which must adhere to HIPAA or GDPR.
These case studies use the Security Workbook for organizational
security planning. The case study can be used as group homework or an
active learning exercise in class. Alternatively, students can use the
Security Workbook for service learning purposes, working with real
organizational partners in the community.
For technically minded instructors and students, there is a section
on Secure Software, covering threats, secure development processes,
and secure designs using agile (evil user stories) or traditional (UML)
styles. A special set of case studies is available just for software
developers to use in combination with a Security Requirements
Document for secure software planning.

Addressing Educational Criteria


For American universities wishing to achieve a National Security
Agency (NSA) designation, this book attempts to address the Center of
Academic Excellence Cyber Defense (CAE-CD) plan for 2020, including
some Mandatory and Optional Knowledge Units (KU). While the book
has not been submitted or approved by the NSA, the author has
attempted to address each item in their list, to simplify the
accreditation process. The book attempts to cover the entirety of the
CAE-CD Nontechnical Core requirements. Often ‘Advanced’ sections
cover more sophisticated topics beyond security planning. Very
technical subjects (e.g., programming, networks, operating systems) are
meant to be covered in other courses. CAE-CD Knowledge Units
addressed include:
Foundational: Cybersecurity Principles
Technical Core: Network Defense
Nontechnical Core: Cyber Threats, Cybersecurity Planning and
Management, Policy, Legal, Ethics, and Compliance, Security Program
Management, Security Risk Analysis
Optional KUs: Basic Cyber Operations, Cyber Crime, Cybersecurity
Ethics, Fraud Prevention and Management, IA Compliance, Life-Cycle
Security, Privacy
Optional KUs at Introductory Level: Cloud Computing, Digital
Forensics, Software Assurance, Secure Programming Practices
The last category, Optional KUs at Introductory Level, introduces the
vast majority of topics in the KU but generally lacks one or more deeply
technical exercises that are required as outcomes.
The text also meets most 2013 ACM Information Assurance and
Security “Core” requirements for Computer Science, including
Foundational Concepts, Principles of Secure Design, Defensive
Programming, Threats and Attacks, and some of Network Security.
Addressed electives include Security Policy, Secure S/W Engineering,
and most of Web Security. The mapping of requirements to chapters is
outlined on the companion web site.
Finally, the base of this text is derived from ISACA’s Certified
Information Systems Auditor® (CISA) and Certified Information
Security Manager® (CISM) study guides related to security. Other parts
of these guides are generally covered by other courses, such as project
management, networking, and software engineering. Students may
pass these exams with additional study, particularly using ISACA’s CISA
or CISM question disks.
Kenosha, WI, USA
Teaching Aides for the Security Instructor
Many materials are available with this text for your teaching use.
Instructor/student materials are included on the companion web site,
at https://sn.pub/lecturer-material. Extra materials include the
following:
1. Lecture PowerPoints: PowerPoint lectures include end-of-lecture
questions for discussion in class. These questions are patterned
after ISACA’s CISA and CISM questions.

2. Security Workbook: The security workbook guides student teams
through a design. There are two ways for student teams to develop
a security plan. Option 1: designs a hypothetical organization of
student teams’ choosing, e.g., in retail, hospitality, government,
healthcare, financial, or software services. This has the advantage
that students can contrast security plans for different types of
businesses in the same course, through student presentations.
Option 2: The Health First Case Study is a detailed case study. This
has the advantage that details are available for the business.

3. Health First Case Study, Security Workbook, and Solution: A case
study involving security planning for a hypothetical Health First
doctor’s office is available for classroom use. Each chapter on
security design in this text has at least one associated case study to
choose from, within the Health First Case Study. This case study
includes discussion by the Health First employees, discussing the
business scenario. The Security Workbook guides students through
the security process. A solution is available on the companion web
site for instructors. If you choose to do the case study, it is helpful to
understand/present the applicable American Health Insurance
Portability and Accountability Act (HIPAA) regulation or European
GDPR before starting the case study.

4. Health First Requirements Document Case Study: The Secure
Software chapter enthuses students who intend to be software or
web developers. The Health First Case Study includes cases where
students add security to a professional Requirements Document. A
security-poor Requirements Document is available for download.

5. Instructor Guide: There is a guide to how to use this case study in
your classroom. You may also use the Security Workbook as a
service learning exercise with small businesses, who often welcome
the free help, if you choose.

Disclaimer
The author and publisher do not warrant or guarantee that the
techniques contained in these works will meet your requirements. The
author is not liable for any inaccuracy, error, or omission, regardless of
cause, in the work or for any damages resulting therefrom. Under no
circumstances shall the author be liable for any direct, indirect,
incidental, special, punitive, consequential, or similar damages that
result from the use of, or inability to use, these works.
Susan Lincke
Acknowledgments
Many thanks go to people who used or reviewed the materials, or
assisted in the development of the case study for the first and/or
second edition. They include Matt McPherson, Viji Ramasamy, Tony
Aiello, Danny Hetzel, Stephen Hawk, David Green, Heather Miles, Joseph
Baum, Mary Comstock, Craig Baker, Todd Burri, Tim Dorr, Tim Knautz,
Brian Genz, LeRoy Foster, Misty Lowery, and Natasha Ravnikar, as well
as the University of Wisconsin-Parkside for funding my sabbatical for
the first edition. Thanks also to the National Science Foundation, who
funded the development of the workbook and case study (though this
work does not necessarily represent their views). Finally, thanks to the
organizations and people who worked with my students in service
learning projects and who must remain anonymous.
The case of Einstein University represented in this text is purely
fictional and does not represent the security plan of any actual
university.
Kenosha, WI, USA

Susan Lincke
Contents
Part I The Problem of Security
1 Security Awareness: Brave New World
1.1 With Security, Every Person Counts
1.2 Attackers and Motives
1.2.1 Cybercrime
1.2.2 Espionage
1.2.3 Information Warfare
1.3 Criminal Techniques to Enter, Investigate, and Persist in a Network
1.4 Protecting Yourself
1.5 Questions
References
2 Combatting Fraud
2.1 Internal Fraud
2.1.1 Defenses Against Internal Fraud
2.1.2 Recognizing Fraud
2.2 External Fraud
2.2.1 Identity Theft
2.2.2 Social Engineering
2.2.3 Business Email Compromise
2.2.4 Consumer Fraud
2.2.5 Receipt, Check, and Money Order Scams
2.2.6 Developing an Action Plan
2.3 Advanced: A Fraud Investigation
2.4 Questions and Problems
2.4.1 Health First Case Study Problems
References
3 Complying with the PCI DSS Standard
3.1 Applicability
3.2 Background and Threats
3.3 General Requirements
3.3.1 Definitions
3.3.2 PCI DSS Requirements
3.3.3 Additional Requirements for Sophisticated Configurations
3.3.4 The PCI DSS Approval Process and Annual Assessments
3.3.5 Other Security Concerns
3.4 Specific Vendor Requirements
3.5 Advanced: Software Security Framework
3.6 Questions and Problems
References
Part II Strategic Security Planning
4 Managing Risk
4.1 Risk Management Overview
4.1.1 Step 1: Identify Risks
4.1.2 Step 2: Determine Loss Due to Threats
4.1.3 Step 3: Estimate Likelihood of Exploitation
4.1.4 Step 4: Compute Expected Loss
4.1.5 Step 5: Treat Risk
4.1.6 Step 6: Monitor (and Communicate) Risk
4.2 The Ethics of Risk
4.3 Advanced: Financial Analysis with Business Risk
4.4 Advanced: Risk for Larger Organizations
4.5 Questions and Problems
4.5.1 Health First Case Study Problems
References
5 Addressing Business Impact Analysis and Business Continuity
5.1 Business Impact Analysis
5.1.1 Step 1: Define Threats Resulting in Business Disruption
5.1.2 Step 2: Define Recovery Objectives
5.2 Step 3: Business Continuity: Plan for Recovery
5.2.1 Recovery Sites
5.2.2 High-Availability Solutions
5.2.3 Disk Backup and Recovery
5.3 Step 4: Preparing for IT Disaster Recovery
5.4 Advanced: Business Continuity for Mature Organizations
5.5 Advanced: Considering Big Data Distributed File Systems
5.6 Questions
5.6.1 Health First Case Study Problems
References
6 Governing: Policy, Maturity Models and Planning
6.1 Documenting Security: Policies, Standards, Procedures and Guidelines
6.2 Maturing the Organization via Capability Maturity Models and COBIT
6.3 Strategic, Tactical and Operational Planning
6.4 Allocating Security Roles and Responsibilities
6.5 Questions
6.5.1 Health First Case Study Problems
References
Part III Tactical Security Planning
7 Designing Information Security
7.1 Important Concepts and Roles
7.2 Step 1: Classify Data for CIA
7.3 Step 2: Selecting Controls
7.3.1 Selecting AAA Controls
7.3.2 Authentication: Login or Identification
7.3.3 Authorization: Access Control
7.3.4 Accountability: Logs
7.3.5 Audit
7.4 Step 3: Allocating Roles and Permissions
7.5 Advanced: Administration of Information Security
7.6 Advanced: Designing Highly Secure Environments
7.6.1 Bell and La Padula Model (BLP)
7.7 Questions
7.7.1 Health First Case Study Problems
References
8 Planning for Network Security
8.1 Important Concepts
8.1.1 How Crackers Attack
8.1.2 Filtering Packets to Restrict Network Access
8.2 Defining the Network Services
8.2.1 Step 1: Inventory Services and Devices: Who, What, Where?
8.2.2 Step 2: Determine Sensitivity of Services
8.2.3 Step 3: Allocate Network Zones
8.2.4 Step 4: Define Controls
8.3 Defining Controls
8.3.1 Confidentiality Controls
8.3.2 Authenticity & Non-Repudiation
8.3.3 Integrity Controls
8.3.4 Anti-Hacker Controls
8.4 Defining the Network Architecture
8.4.1 Step 5: Draw the Network Diagram
8.5 Advanced: How it Works
8.6 Questions
8.6.1 Health First Case Study Problems
References
9 Designing Physical Security
9.1 Step 1: Inventory Assets and Allocate Sensitivity/Criticality Class to Rooms
9.2 Step 2: Selecting Controls for Sensitivity Classifications
9.2.1 Building Entry Controls
9.2.2 Room Entry Controls
9.2.3 Computer and Document Access Control
9.2.4 The Public Uses Computers
9.3 Step 3: Selecting Availability Controls for Criticality Classifications
9.4 Questions and Problems
9.4.1 Health First Case Study Problems
References
10 Attending to Information Privacy
10.1 Important Concepts and Principles
10.2 Step 1: Defining a Data Dictionary with Primary Purpose
10.3 Step 2: Performing a Privacy Impact Assessment
10.3.1 Defining Controls
10.3.2 Anonymizing Data
10.4 Step 3: Developing a Policy and Notice of Privacy Practices
10.5 Advanced: Big Data: Data Warehouses
10.6 Questions
References
11 Planning for Alternative Networks: Cloud Security and Zero Trust
11.1 Important Concepts
11.1.1 Cloud Deployment Models
11.2 Planning a Secure Cloud Design
11.3 Step 1: Define Security and Compliance Requirements
11.4 Step 2: Select a Cloud Provider and Service/Deployment Model
11.5 Step 3: Define the Architecture
11.6 Step 4–6: Assess and Implement Security Controls in the Cloud
11.7 Step 7: Monitor and Manage Changes in the Cloud
11.8 Advanced: Software Development with Dev-Sec-Ops
11.9 Advanced: Using Blockchain
11.10 Advanced: Zero Trust
11.10.1 Important Concepts
11.10.2 Zero Trust Architecture
11.11 Zero Trust Planning
11.11.1 Network and Cloud Checklist for Zero Trust
11.12 Questions
References
12 Organizing Personnel Security
12.1 Step 1: Controlling Employee Threats
12.2 Step 2: Allocating Responsibility to Roles
12.3 Step 3: Define Training for Security
12.4 Step 4: Designing Tools to Manage Security
12.4.1 Code of Conduct and Acceptable Use Policy
12.4.2 Configuration Management and Change Control
12.4.3 Service Level Agreements
12.5 Questions and Problems
12.5.1 Health First Case Study Problems
References
Part IV Planning for Detect, Respond, Recover
13 Planning for Incident Response
13.1 Important Statistics and Concepts
13.2 Developing an Incident Response Plan
13.2.1 Step 1: Preparation Stage
13.2.2 Step 2: Identification Stage
13.2.3 Step 3: Containment and Escalation Stage
13.2.4 Step 4: Analysis and Eradication Stage
13.2.5 Step 5: Notification and Ex-post Response Stages (If Necessary)
13.2.6 Step 6: Recovery and Lessons Learned Stages
13.3 Preparing for Incident Response
13.4 Questions and Problems
13.4.1 Health First Case Study Problems
References
14 Defining Security Metrics
14.1 Implementing Business-Driven Metrics
14.2 Implementing Technology-Driven Metrics
14.3 Questions and Problems
14.3.1 Health First Case Study Problems
References
15 Performing an Audit or Security Test
15.1 Testing Internally and Simple Audits
15.1.1 Step 1: Gathering Information, Planning the Audit
15.1.2 Step 2: Reviewing Internal Controls
15.1.3 Step 3: Performing Compliance and Substantive Tests
15.1.4 Step 4: Preparing and Presenting the Report
15.2 Example: PCI DSS Audits and Report on Compliance
15.3 Professional and External Auditing
15.3.1 Audit Resources
15.3.2 Sampling
15.3.3 Evidence and Conclusions
15.3.4 Variations in Audit Types
15.4 Questions and Problems
15.4.1 Health First Case Study Problems
References
16 Preparing for Forensic Analysis
16.1 Important Concepts
16.2 High-Level Forensic Analysis: Investigating an Incident
16.2.1 Establishing Forensic Questions
16.2.2 Collecting Important Information
16.3 Technical Perspective: Methods to Collect Evidence
16.3.1 Collecting Volatile Information Using a Jump Kit
16.3.2 Collecting and Analyzing Important Logs
16.3.3 Collecting and Forensically Analyzing a Disk Image
16.4 Legal Perspective: Establishing Chain of Custody
16.5 Advanced: The Judicial Procedure
16.6 Questions and Problems
References
Part V Complying with National Regulations and Ethics
17 Complying with the European Union General Data Protection Regulation (GDPR)
17.1 Background
17.2 Applicability
17.3 General Requirements
17.4 Rights Afforded to Data Subjects
17.4.1 Right of Access by the Data Subject (Article 15)
17.4.2 Right to Rectification (Article 16)
17.4.3 Right to Erasure (‘Right to Be Forgotten’) (Article 17)
17.4.4 Right to Restriction of Processing (Article 18)
17.4.5 Right to Data Portability (Article 20)
17.4.6 Right to Object to Processing (Article 21)
17.4.7 Right to Not Be Subject to a Decision Based Solely on Automated Processing (Article 22)
17.4.8 Rights of Remedies, Liabilities and Penalties (Articles 77–79)
17.4.9 Privilege of Notification (Article 13, 14)
17.4.10 Privilege of Communicated Response (Article 12)
17.4.11 Privilege of Protection of Special Groups (Article 9, 10)
17.5 Restrictions to Rights (Article 23)
17.6 Controller Processing Requirements
17.6.1 Risk Management and Security
17.6.2 Breach Notification
17.6.3 Penalties
17.6.4 Certification and Adequacy Decisions
17.6.5 Management and Third-Party Relationships
17.7 Actual GDPR Cases
17.8 Questions and Problems
References
18 Complying with U.S. Security Regulations
18.1 Security Laws Affecting U.S. Organizations
18.1.1 State Breach Notification Laws
18.1.2 HIPAA/HITECH Act, 1996, 2009
18.1.3 Sarbanes-Oxley Act (SOX), 2002
18.1.4 Gramm–Leach–Bliley Act (GLB), 1999
18.1.5 Identity Theft Red Flags Rule, 2007
18.1.6 Family Educational Rights and Privacy Act (FERPA), 1974, and Other Child Protection Laws
18.1.7 Federal Information Security Management Act (FISMA), 2002
18.1.8 California Consumer Privacy Act (CCPA)
18.2 Computer Abuse Laws
18.3 Other Laws
18.4 Final Considerations
18.5 Advanced: Understanding the Context of Law
18.6 Questions and Problems
References
19 Complying with HIPAA and HITECH
19.1 Background
19.2 Introduction and Vocabulary
19.3 HITECH Breach Notification
19.4 HIPAA Privacy Rule
19.4.1 Patient Privacy and Rights
19.5 HIPAA Security Rule
19.5.1 Administrative Requirements
19.5.2 Physical Security
19.5.3 Technical Controls
19.6 Recent and Proposed Changes in Regulation
19.7 Questions and Problems
19.7.1 Health First Case Study Problems
References
20 Maturing Ethical Risk
20.1 Important Concepts
20.2 Raising Ethical Maturity through an Ethical Risk Framework
20.2.1 Raising Self-centered Ethical Concern
20.2.2 Adhering to Regulation
20.2.3 Respecting Stakeholder Concerns
20.2.4 Addressing Societal Concerns
20.3 Questions
References
Part VI Developing Secure Software
21 Understanding Software Threats and Vulnerabilities
21.1 Important Concepts and Goals
21.2 Threats to Input
21.2.1 Recognize Injection Attacks
21.2.2 Control Cross-site scripting (XSS)
21.2.3 Authentication and Access Control
21.2.4 Recognize Cross-Site Request Forgery (CSRF)
21.2.5 Minimize Access
21.3 Implement Security Features
21.4 Testing Issues
21.5 Deployment Issues
21.5.1 Validate and Control the Configuration
21.5.2 Questions and Problems
References
22 Defining a Secure Software Process
22.1 Important Concepts
22.1.1 Software Security Maturity Models
22.1.2 The Secure Software Group
22.2 Secure Development Life Cycle
22.2.1 Coding
22.2.2 Testing
22.2.3 Deployment, Operations, Maintenance and Disposal
22.3 Secure Agile Development
22.3.1 Designing Agile Style: Evil User Stories
22.4 Example Secure Process: PCI Software Security Framework
22.5 Security Industry Standard: Common Criteria
22.6 Questions and Problems
22.6.1 Health First Case Study Problems
References
23 Planning for Secure Software Requirements and Design with UML
23.1 Important Concepts and Principles in Secure Software Design
23.2 Evaluating Security Requirements
23.2.1 Step 1: Identify Critical Assets
23.2.2 Step 2: Define Security Goals
23.2.3 Step 3: Identify Threats
23.2.4 Step 4: Analyze Risks
23.2.5 Step 5: Define Security Requirements
23.2.6 Specify Reliability, Robustness
23.3 Analysis/Design
23.3.1 Static Model
23.3.2 Dynamic Model
23.4 Example Secure Design: PCI Software Security Framework
23.5 Questions and Problems
23.5.1 Health First Case Study Problems
References
Part I
The Problem of Security
This section explains why security is an issue that must be addressed. It
delves into current problem areas that certain industries may
specifically need to address, related to hackers and malware (Chap. 1),
social engineering and fraud (Chap. 2), and payment card standards,
which organizations need to adhere to if they accept credit cards (Chap.
3). Regulation relating to security is also an area that needs to be
addressed, but is in Part V, outlining United States and European Union
regulation. Understanding inherent threats and security requirements
well will help in later sections to define your organization’s specific
security needs. Therefore, as you read through this section, consider
which attacks might affect your industry and organization, and as part
of the planning process, note them down.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024
S. Lincke, Information Security Planning
https://doi.org/10.1007/978-3-031-43118-0_1

1. Security Awareness: Brave New World
Susan Lincke (1)
(1) University of Wisconsin-Parkside, Kenosha, WI, USA

Susan Lincke
Email: [email protected]

When Leon Panetta, former U.S. Secretary of Defense, drives his
internet-connected Lexus, he has careful (likely semi-serious)
instructions for his passenger: “I tell my wife, ‘Now be careful what
you say.’” – Nicole Perlroth, author, They Tell Me This Is How the
World Ends, and NY Times cybersecurity writer [1]

Computer security is a challenge. An attacker only needs to find one
hole…but a defender needs to close all holes. Since it is impossible to
close all holes, you can only hope to close most holes, layer defenses
(like you layer clothes when going out in the freezing cold), and hope
that the intruder will find an easier target elsewhere.
How do you close most holes? The first step is to educate yourself
about security and ways crackers attack. The next step is to ensure that
all employees understand their roles in guarding security. This chapter
is about educating yourself about malware, hacking and the motives of
computer attackers, and how to start to defend the simplest of devices:
your mobile and home computers.

1.1 With Security, Every Person Counts

Imagine you open 20+ emails daily. Today you receive one with a
promising video. You click to download it. Most emails are innocuous,
but this one contains hidden malware. While you enjoy your video, the
video is also secretly executing a worm and turning your computer into
a zombie or copying password files. You are now, unknowingly, infected
(but the video was cool!). Alternatively, an infected email, called a
phish, may claim to be from someone in your organization sending you an
infected Word or Excel document, appearing to be a routine business
email. Installing malware within a network is only the first step that
an attacker would take in order to get a foothold in the network. Their
end goal is likely to be one of the following:
- exfiltrating (or downloading) confidential or proprietary business or
  government information for espionage, competitive and/or financial
  cybercrime reasons;
- financial extortion, by damaging your files, overwhelming your servers,
  and/or promising to publish confidential data if their fee is not paid;
- disruption of business, by damaging equipment or overwhelming web pages,
  e.g., for information warfare purposes;
- financial theft, through impersonating a vendor, inflating advertising
  clicks, or other fraudulent activities (covered in Chap. 2).

1.2 Attackers and Motives


Business managers, computer programmers, and others employed in an IT
or security field should be aware of how an organization can be
attacked, beyond basic user security awareness. Threats may arise from
disgruntled employees or contractors, political enemies,
financially-motivated criminals, and spies or spying governments. This
chapter reviews each of these in turn. Consider which of these might be
prioritized as risks for your organization.

1.2.1 Cybercrime
In most attacks, the attacker has criminal intent. The attacker's goal
may be extortion: encrypting crucial disks and demanding payment to
decrypt them. Ransomware (e.g., CryptoLocker) can corrupt backups
Random documents with unrelated
content Scribd suggests to you:
path: the post of care-taker at some provincial library, country
stationer, registrar of births and deaths, and many others had been
discussed and dismissed in face of the unmanageable fact that her
father was serenely happy and comfortable as a butler, looking with
dread at any hint of change short of perfect retirement. Since, then,
she could not offer him this retirement, what right had she to
interfere with his mode of life at all? In no other social groove on
earth would he thrive as he throve in his present one, to which he
had been accustomed from boyhood, and where the remuneration
was actually greater than in professions ten times as stately in
name.
For the rest, too, Ethelberta had indulged in hopes, the high
education of the younger ones being the chief of these darling
wishes. Picotee wanted looking to badly enough. Sol and Dan
required no material help; they had quickly obtained good places of
work under a Pimlico builder; for though the brothers scarcely
showed as yet the light-fingered deftness of London artizans, the
want was in a measure compensated by their painstaking, and
employers are far from despising country hands who bring with
them strength, industry, and a desire to please. But their sister had
other lines laid down for them than those of level progress; to start
them some day as masters instead of men was a long-cherished
wish of Ethelberta's.
Thus she had quite enough machinery in her hands to keep
decently going, even were she to marry a man who would take a
kindly view of her peculiar situation, and afford her opportunities of
strengthening her powers for her kindred's good. But what would be
the result if, eighteen months hence-the date at which her
occupation of the house in Exonbury Crescent came to an end-she
were still a widow, with no accumulated capital, her platform talents
grown homely and stunted through narrow living, and her tender
vein of poesy completely dispersed by it? To calmly relinquish the
struggle at that point would have been the act of a stoic, but not of
a woman, particularly when she considered the children, the hopes
of her mother for them, and her own condition-though this was
least-under the ironical cheers which would greet a slip back into the
mire.
It here becomes necessary to turn for a moment to Master Joey
Chickerel, Ethelberta's troublesome page and brother. The face of
this juvenile was that of a Graeco-Roman satyr to the furthest
degree of completeness. Viewed in front, the outer line of his upper
lip rose in a double arch nearly to his little round nostrils, giving an
expression of a jollity so delicious to himself as to compel a
perpetual drawing in of his breath. During half-laughs his lips parted
in the middle, and remained closed at the corners, which were small
round pits like his nostrils, the same form being repeated as dimples
a little further back upon his cheek. The opening for each eye
formed a sparkling crescent, both upper and under lid having the
convexity upwards.
But during some few days preceding the dinner-party at the
Doncastles' all this changed. The luxuriant curves departed, a
compressed lineality was to be observed everywhere, the pupils of
his eyes seemed flattened, and the carriage of his head was limp
and sideways. This was a feature so remarkable and new in him that
Picotee noticed it, and was lifted from the melancholy current of her
own affairs in contemplating his.
'Well, what's the matter?' said Picotee.
'O-nothing,' said Joey.
'Nothing? How can you say so?'
'The world's a holler mockery-that's what I say.'
'Yes, so it is, to some; but not to you,' said Picotee, sighing.
'Don't talk argument, Picotee. I only hope you'll never feel what I
feel now. If it wasn't for my juties here I know what I'd do; I'd 'list,
that's what I'd do. But having my position to fill here as the only
responsible man-servant in the house, I can't leave.'
'Has anybody been beating you?'
'Beating! Do I look like a person who gets beatings? No, it is a
madness,' said Joey, putting his hand upon his chest. 'The case is, I
am in love.'
'O Joey, a boy no bigger than you are!' said Picotee reprovingly.
Her personal interest in the passion, however, provoked her to
inquire, in the next breath, 'Who is it? Do tell, Joey.'
'No bigger than I! What hev bigness to do with it? That's just like
your old-fashioned notions. Bigness is no more wanted in courting
nowadays than in soldiering or smoking or any other duty of man.
Husbands is rare; and a promising courter who means business will
fetch his price in these times, big or small, I assure ye. I might have
been engaged a dozen times over as far as the bigness goes. You
should see what a miserable little fellow my rival is afore you talk
like that. Now you know I've got a rival, perhaps you'll own there
must be something in it.'
'Yes, that seems like the real thing. But who is the young woman?'
'Well, I don't mind telling you, Picotee. It is Mrs. Doncastle's new
maid. I called to see father last night, and had supper there; and
you should have seen how lovely she were-eating sparrowgrass
sideways, as if she were born to it. But, of course, there's a rival-
there always is-I might have known that, and I will crush him!'
'But Mrs. Doncastle's new maid-if that was she I caught a glimpse
of the other day-is ever so much older than you-a dozen years.'
'What's that to a man in love? Pooh-I wish you would leave me,
Picotee; I wants to be alone.'
A short time after this Picotee was in the company of Ethelberta,
and she took occasion to mention Joey's attachment. Ethelberta
grew exceedingly angry directly she heard of it.
'What a fearful nuisance that boy is becoming,' she said. 'Does
father know anything of this?'
'I think not,' said Picotee. 'O no, he cannot; he would not allow
any such thing to go on; she is so much older than Joey.'
'I should think he wouldn't allow it! The fact is I must be more
strict about this growing friendliness between you all and the
Doncastle servants. There shall be absolutely no intimacy or visiting
of any sort. When father wants to see any of you he must come
here, unless there is a most serious reason for your calling upon
him. Some disclosure or reference to me otherwise than as your
mistress, will certainly be made else, and then I am ruined. I will
speak to father myself about Joey's absurd nonsense this evening. I
am going to see him on another matter.' And Ethelberta sighed. 'I
am to dine there on Thursday,' she added.
'To dine there, Berta? Well, that is a strange thing! Why, father will
be close to you!'
'Yes,' said Ethelberta quietly.
'How I should like to see you sitting at a grand dinner-table,
among lordly dishes and shining people, and father about the room
unnoticed! Berta, I have never seen a dinner-party in my life, and
father said that I should some day; he promised me long ago.'
'How will he be able to carry out that, my dear child?' said
Ethelberta, drawing her sister gently to her side.
'Father says that for an hour and a half the guests are quite fixed
in the dining-room, and as unlikely to move as if they were trees
planted round the table. Do let me go and see you, Berta,' Picotee
added coaxingly. 'I would give anything to see how you look in the
midst of elegant people talking and laughing, and you my own sister
all the time, and me looking on like puss-in-the-corner.'
Ethelberta could hardly resist the entreaty, in spite of her recent
resolution.
'We will leave that to be considered when I come home to-night,'
she said. 'I must hear what father says.'
After dark the same evening a woman, dressed in plain black and
wearing a hood, went to the servants' entrance of Mr. Doncastle's
house, and inquired for Mr. Chickerel. Ethelberta found him in a
room by himself, and on entering she closed the door behind her,
and unwrapped her face.
'Can you sit with me a few minutes, father?' she said.
'Yes, for a quarter of an hour or so,' said the butler. 'Has anything
happened? I thought it might be Picotee.'
'No. All's well yet. But I thought it best to see you upon one or
two matters which are harassing me a little just now. The first is,
that stupid boy Joey has got entangled in some way with the lady's-
maid at this house; a ridiculous affair it must be by all account, but it
is too serious for me to treat lightly. She will worm everything out of
him, and a pretty business it will be then.'
'God bless my soul! why, the woman is old enough to be his
mother! I have never heard a sound of it till now. What do you
propose to do?'
'I have hardly thought: I cannot tell at all. But we will consider
that after I have done. The next thing is, I am to dine here
Thursday-that is, to-morrow.'
'You going to dine here, are you?' said her father in surprise. 'Dear
me, that's news. We have a dinner-party to-morrow, but I was not
aware that you knew our people.'
'I have accepted the invitation,' said Ethelberta. 'But if you think I
had better stay away, I will get out of it by some means. Heavens!
what does that mean-will anybody come in?' she added, rapidly
pulling up her hood and jumping from the seat as the loud tones of
a bell clanged forth in startling proximity.
'O no-it is all safe,' said her father. 'It is the area door-nothing to
do with me. About the dinner: I don't see why you may not come.
Of course you will take no notice of me, nor shall I of you. It is to be
rather a large party. Lord What's-his-name is coming, and several
good people.'
'Yes; he is coming to meet me, it appears. But, father,' she said
more softly and slowly, 'how wrong it will be for me to come so close
to you, and never recognize you! I don't like it. I wish you could
have given up service by this time; it would have been so much less
painful for us all round. I thought we might have been able to
manage it somehow.'
'Nonsense, nonsense,' said Mr. Chickerel crossly. 'There is not the
least reason why I should give up. I want to save a little money first.
If you don't like me as I am, you must keep away from me. Don't be
uneasy about my comfort; I am right enough, thank God. I can mind
myself for many a year yet.'
Ethelberta looked at him with tears in her eyes, but she did not
speak. She never could help crying when she met her father here.
'I have been in service now for more than seven-and-thirty years,'
her father went on. 'It is an honourable calling; and why should you
maintain me because you can earn a few pounds by your gifts, and
an old woman left you her house and a few sticks of furniture? If
she had left you any money it would have been a different thing, but
as you have to work for every penny you get, I cannot think of it.
Suppose I should agree to come and live with you, and then you
should be ill, or such like, and I no longer able to help myself? O no,
I'll stick where I am, for here I am safe as to food and shelter at any
rate. Surely, Ethelberta, it is only right that I, who ought to keep you
all, should at least keep your mother and myself? As to our position,
that we cannot help; and I don't mind that you are unable to own
me.'
'I wish I could own you-all of you.'
'Well, you chose your course, my dear; and you must abide by it.
Having put your hand to the plough, it will be foolish to turn back.'
'It would, I suppose. Yet I wish I could get a living by some simple
humble occupation, and drop the name of Petherwin, and be Berta
Chickerel again, and live in a green cottage as we used to do when I
was small. I am miserable to a pitiable degree sometimes, and sink
into regrets that I ever fell into such a groove as this. I don't like
covert deeds, such as coming here to-night, and many are necessary
with me from time to time. There is something without which
splendid energies are a drug; and that is a cold heart. There is
another thing necessary to energy, too-the power of distinguishing
your visions from your reasonable forecasts when looking into the
future, so as to allow your energy to lay hold of the forecasts only. I
begin to have a fear that mother is right when she implies that I
undertook to carry out visions and all. But ten of us are so many to
cope with. If God Almighty had only killed off three-quarters of us
when we were little, a body might have done something for the rest;
but as we are it is hopeless!'
'There is no use in your going into high doctrine like that,' said
Chickerel. 'As I said before, you chose your course. You have begun
to fly high, and you had better keep there.'
'And to do that there is only one way-that is, to do it surely, so
that I have some groundwork to enable me to keep up to the mark
in my profession. That way is marriage.'
'Marriage? Who are you going to marry?'
'God knows. Perhaps Lord Mountclere. Stranger things have
happened.'
'Yes, so they have; though not many wretcheder things. I would
sooner see you in your grave, Ethelberta, than Lord Mountclere's
wife, or the wife of anybody like him, great as the honour would be.'
'Of course that was only something to say; I don't know the man
even.'
'I know his valet. However, marry who you may, I hope you'll be
happy, my dear girl. You would be still more divided from us in that
event; but when your mother and I are dead, it will make little
difference.'
Ethelberta placed her hand upon his shoulder, and smiled
cheerfully. 'Now, father, don't despond. All will be well, and we shall
see no such misfortune as that for many a year. Leave all to me. I
am a rare hand at contrivances.'
'You are indeed, Berta. It seems to me quite wonderful that we
should be living so near together and nobody suspect the
relationship, because of the precautions you have taken.'
'Yet the precautions were rather Lady Petherwin's than mine, as
you know. Consider how she kept me abroad. My marriage being so
secret made it easy to cut off all traces, unless anybody had made it
a special business to search for them. That people should suspect as
yet would be by far the more wonderful thing of the two. But we
must, for one thing, have no visiting between our girls and the
servants here, or they soon will suspect.'
Ethelberta then laid down a few laws on the subject, and,
explaining the other details of her visit, told her father soon that she
must leave him.
He took her along the passage and into the area. They were
standing at the bottom of the steps, saying a few parting words
about Picotee's visit to see the dinner, when a female figure
appeared by the railing above, slipped in at the gate, and flew down
the steps past the father and daughter. At the moment of passing
she whispered breathlessly to him, 'Is that you, Mr. Chickerel?'
'Yes,' said the butler.
She tossed into his arms a quantity of wearing apparel, and
adding, 'Please take them upstairs for me-I am late,' rushed into the
house.
'Good heavens, what does that mean?' said Ethelberta, holding
her father's arm in her uneasiness.
'That's the new lady's-maid, just come in from an evening walk-
that young scamp's sweetheart, if what you tell me is true. I don't
yet know what her character is, but she runs neck and neck with
time closer than any woman I ever met. She stays out at night like
this till the last moment, and often throws off her dashing courting-
clothes in this way, as she runs down the steps, to save a journey to
the top of the house to her room before going to Mrs. Doncastle's,
who is in fact at this minute waiting for her. Only look here.'
Chickerel gathered up a hat decked with feathers and flowers, a
parasol, and a light muslin train-skirt, out of the pocket of the latter
tumbling some long golden tresses of hair.
'What an extraordinary woman,' said Ethelberta. 'A perfect
Cinderella. The idea of Joey getting desperate about a woman like
that; no doubt she has just come in from meeting him.'
'No doubt-a blockhead. That's his taste, is it! I'll soon see if I can't
cure his taste if it inclines towards Mrs. Menlove.'
'Mrs. what?'
'Menlove; that's her name. She came about a fortnight ago.'
'And is that Menlove-what shall we do!' exclaimed Ethelberta. 'The
idea of the boy singling out her-why it is ruin to him, to me, and to
us all!'
She hastily explained to her father that Menlove had been Lady
Petherwin's maid and her own at some time before the death of her
mother-in-law, that she had only stayed with them through a three
months' tour because of her flightiness, and hence had learnt
nothing of Ethelberta's history, and probably had never thought at all
about it. But nevertheless they were as well acquainted as a lady
and her maid well could be in the time. 'Like all such doubtful
characters,' continued Ethelberta, 'she was one of the cleverest and
lightest-handed women we ever had about us. When she first came,
my hair was getting quite weak; but by brushing it every day in a
peculiar manner, and treating it as only she knew how, she brought
it into splendid condition.'
'Well, this is the devil to pay, upon my life!' said Mr. Chickerel, with
a miserable gaze at the bundle of clothes and the general situation
at the same time. 'Unfortunately for her friendship, I have snubbed
her two or three times already, for I don't care about her manner.
You know she has a way of trading on a man's sense of honour till it
puts him into an awkward position. She is perfectly well aware that,
whatever scrape I find her out in, I shall not have the conscience to
report her, because I am a man, and she is a defenceless woman;
and so she takes advantage of one's feeling by making me, or either
of the menservants, her bottle-holder, as you see she has done now.'
'This is all simply dreadful,' said Ethelberta. 'Joey is shrewd and
trustworthy; but in the hands of such a woman as that! I suppose
she did not recognize me.'
'There was no chance of that in the dark.'
'Well, I cannot do anything in it,' said she. 'I cannot manage Joey
at all.'
'I will see if I can,' said Mr. Chickerel. 'Courting at his age, indeed-
what shall we hear next!'
Chickerel then accompanied his daughter along the street till an
empty cab passed them, and putting her into it he returned to the
house again.
29. ETHELBERTA'S DRESSING-
ROOM-MR. DONCASTLE'S HOUSE
The dressing of Ethelberta for the dinner-party was an
undertaking into which Picotee threw her whole skill as tirewoman.
Her energies were brisker that day than they had been at any time
since the Julians first made preparations for departure from town;
for a letter had come to her from Faith, telling of their arrival at the
old cathedral city, which was found to suit their inclinations and
habits infinitely better than London; and that she would like Picotee
to visit them there some day. Picotee felt, and so probably felt the
writer of the letter, that such a visit would not be very practicable
just now; but it was a pleasant idea, and for fastening dreams upon
was better than nothing.
Such musings were encouraged also by Ethelberta's remarks as
the dressing went on.
'We will have a change soon,' she said; 'we will go out of town for
a few days. It will do good in many ways. I am getting so alarmed
about the health of the children; their faces are becoming so white
and thin and pinched that an old acquaintance would hardly know
them; and they were so plump when they came. You are looking as
pale as a ghost, and I daresay I am too. A week or two at Knollsea
will see us right.'
'O, how charming!' said Picotee gladly.
Knollsea was a village on the coast, not very far from Melchester,
the new home of Christopher; not very far, that is to say, in the eye
of a sweetheart; but seeing that there was, as the crow flies, a
stretch of thirty-five miles between the two places, and that more
than one-third the distance was without a railway, an elderly
gentleman might have considered their situations somewhat remote
from each other.
'Why have you chosen Knollsea?' inquired Picotee.
'Because of aunt's letter from Rouen-have you seen it?'
'I did not read it through.'
'She wants us to get a copy of the register of her baptism; and
she is not absolutely certain which of the parishes in and about
Knollsea they were living in when she was born. Mother, being a
year younger, cannot tell of course. First I thought of writing to the
clergyman of each parish, but that would be troublesome, and might
reveal the secret of my birth; but if we go down there for a few
days, and take some lodgings, we shall be able to find out all about
it at leisure. Gwendoline and Joey can attend to mother and the
people downstairs, especially as father will look in every evening
until he goes out of town, to see if they are getting on properly. It
will be such a weight off my soul to slip away from acquaintances
here.'
'Will it?'
'Yes. At the same time I ought not to speak so, for they have been
very kind. I wish we could go to Rouen afterwards; aunt repeats her
invitation as usual. However, there is time enough to think of that.'
Ethelberta was dressed at last, and, beholding the lonely look of
poor Picotee when about to leave the room, she could not help
having a sympathetic feeling that it was rather hard for her sister to
be denied so small an enjoyment as a menial peep at a feast when
she herself was to sit down to it as guest.
'If you still want to go and see the procession downstairs you may
do so,' she said reluctantly; 'provided that you take care of your
tongue when you come in contact with Menlove, and adhere to
father's instructions as to how long you may stay. It may be in the
highest degree unwise; but never mind, go.'
Then Ethelberta departed for the scene of action, just at the hour
of the sun's lowest decline, when it was fading away, yellow and
mild as candle-light, and when upper windows facing north-west
reflected to persons in the street dissolving views of tawny cloud
with brazen edges, the original picture of the same being hidden
from sight by soiled walls and slaty slopes.
Before entering the presence of host and hostess, Ethelberta
contrived to exchange a few words with her father.
'In excellent time,' he whispered, full of paternal pride at the
superb audacity of her situation here in relation to his. 'About half of
them are come.'
'Mr. Neigh?'
'Not yet; he's coming.'
'Lord Mountclere?'
'Yes. He came absurdly early; ten minutes before anybody else, so
that Mrs. D. could hardly get on her bracelets and things soon
enough to scramble downstairs and receive him; and he's as nervous
as a boy. Keep up your spirits, dear, and don't mind me.'
'I will, father. And let Picotee see me at dinner if you can. She is
very anxious to look at me. She will be here directly.'
And Ethelberta, having been announced, joined the chamberful of
assembled guests, among whom for the present we lose sight of her.

Meanwhile the evening outside the house was deepening in tone,


and the lamps began to bHANDlink up. Her sister having departed,
Picotee hastily arrayed herself in a little black jacket and chip hat,
and tripped across the park to the same point. Chickerel had
directed a maid-servant known as Jane to receive his humbler
daughter and make her comfortable; and that friendly person, who
spoke as if she had known Picotee five-and-twenty years, took her
to the housekeeper's room, where the visitor deposited her jacket
and hat, and rested awhile.
A quick-eyed, light-haired, slight-built woman came in when Jane
had gone. 'Are you Miss Chickerel?' she said to Picotee.
'Yes,' said Picotee, guessing that this was Menlove, and fearing her
a little.
'Jane tells me that you have come to visit your father, and would
like to look at the company going to dinner. Well, they are not much
to see, you know; but such as they are you are welcome to the sight
of. Come along with me.'
'I think I would rather wait for father, if you will excuse me,
please.'
'Your father is busy now; it is no use for you to think of saying
anything to him.'
Picotee followed her guide up a back staircase to the height of
several flights, and then, crossing a landing, they descended to the
upper part of the front stairs.
'Now look over the balustrade, and you will see them all in a
minute,' said Mrs. Menlove. 'O, you need not be timid; you can look
out as far as you like. We are all independent here; no slavery for
us: it is not as it is in the country, where servants are considered to
be of different blood and bone from their employers, and to have no
eyes for anything but their work. Here they are coming.'
Picotee then had the pleasure of looking down upon a series of
human crowns-some black, some white, some strangely built upon,
some smooth and shining-descending the staircase in disordered
column and great discomfort, their owners trying to talk, but
breaking off in the midst of syllables to look to their footing. The
young girl's eyes had not drooped over the handrail more than a few
moments when she softly exclaimed, 'There she is, there she is!
How lovely she looks, does she not?'
'Who?' said Mrs. Menlove.
Picotee recollected herself, and hastily drew in her impulses. 'My
dear mistress,' she said blandly. 'That is she on Mr. Doncastle's arm.
And look, who is that funny old man the elderly lady is helping
downstairs?'
'He is our honoured guest, Lord Mountclere. Mrs. Doncastle will
have him all through the dinner, and after that he will devote himself
to Mrs. Petherwin, your "dear mistress." He keeps looking towards
her now, and no doubt thinks it a nuisance that she is not with him.
Well, it is useless to stay here. Come a little further-we'll follow
them.' Menlove began to lead the way downstairs, but Picotee held
back.
'Won't they see us?' she said.
'No. And if they do, it doesn't matter. Mrs. Doncastle would not
object in the least to the daughter of her respected head man being
accidentally seen in the hall.'
They descended to the bottom and stood in the hall. 'O, there's
father!' whispered Picotee, with childlike gladness, as Chickerel
became visible to her by the door. The butler nodded to his
daughter, and became again engrossed in his duties.
'I wish I could see her-my mistress-again,' said Picotee.
'You seem mightily concerned about your mistress,' said Menlove.
'Do you want to see if you have dressed her properly?'
'Yes, partly; and I like her, too. She is very kind to me.'
'You will have a chance of seeing her soon. When the door is
nicely open you can look in for a moment. I must leave you now for
a few minutes, but I will come again.'
Menlove departed, and Picotee stood waiting. She wondered how
Ethelberta was getting on, and whether she enjoyed herself as much
as it seemed her duty to do in such a superbly hospitable place.
Picotee then turned her attention to the hall, every article of
furniture therein appearing worthy of scrutiny to her unaccustomed
eyes. Here she walked and looked about for a long time till an
excellent opportunity offered itself of seeing how affairs progressed
in the dining-room.
Through the partly-opened door there became visible a sideboard
which first attracted her attention by its richness. It was, indeed, a
noticeable example of modern art-workmanship, in being
exceptionally large, with curious ebony mouldings at different
stages; and, while the heavy cupboard doors at the bottom were
enriched with inlays of paler wood, other panels were decorated with
tiles, as if the massive composition had been erected on the spot as
part of the solid building. However, it was on a space higher up that
Picotee's eyes and thoughts were fixed. In the great mirror above
the middle ledge she could see reflected the upper part of the
dining-room, and this suggested to her that she might see
Ethelberta and the other guests reflected in the same way by
standing on a chair, which, quick as thought, she did.
To Picotee's dazed young vision her beautiful sister appeared as
the chief figure of a glorious pleasure-parliament of both sexes,
surrounded by whole regiments of candles grouped here and there
about the room. She and her companions were seated before a large
flowerbed, or small hanging garden, fixed at about the level of the
elbow, the attention of all being concentrated rather upon the
uninteresting margin of the bed, and upon each other, than on the
beautiful natural objects growing in the middle, as it seemed to
Picotee. In the ripple of conversation Ethelberta's clear voice could
occasionally be heard, and her young sister could see that her eyes
were bright, and her face beaming, as if divers social wants and
looming penuriousness had never been within her experience. Mr.
Doncastle was quite absorbed in what she was saying. So was the
queer old man whom Menlove had called Lord Mountclere.
'The dashing widow looks very well, does she not?' said a person
at Picotee's elbow.
It was her conductor Menlove, now returned again, whom Picotee
had quite forgotten.
'She will do some damage here to-night you will find,' continued
Menlove. 'How long have you been with her?'
'O, a long time-I mean rather a short time,' stammered Picotee.
'I know her well enough. I was her maid once, or rather her
mother-in-law's, but that was long before you knew her. I did not by
any means find her so lovable as you seem to think her when I had
to do with her at close quarters. An awful flirt-awful. Don't you find
her so?'
'I don't know.'
'If you don't yet you will know. But come down from your perch-
the dining-room door will not be open again for some time-and I will
show you about the rooms upstairs. This is a larger house than Mrs.
Petherwin's, as you see. Just come and look at the drawing-rooms.'
Wishing much to get rid of Menlove, yet fearing to offend her,
Picotee followed upstairs. Dinner was almost over by this time, and
when they entered the front drawing-room a young man-servant and
maid were there rekindling the lights.
'Now let's have a game of cat-and-mice,' said the maid-servant
cheerily. 'There's plenty of time before they come up.'
'Agreed,' said Menlove promptly. 'You will play, will you not, Miss
Chickerel?'
'No, indeed,' said Picotee, aghast.
'Never mind, then; you look on.'
Away then ran the housemaid and Menlove, and the young
footman started at their heels. Round the room, over the furniture,
under the furniture, through the furniture, out of one window, along
the balcony, in at another window, again round the room-so they
glided with the swiftness of swallows and the noiselessness of
ghosts.
Then the housemaid drew a jew's-harp from her pocket, and
struck up a lively waltz sotto voce. The footman seized Menlove,
who appeared nothing loth, and began spinning gently round the
room with her, to the time of the fascinating measure

'Which fashion hails, from countesses to queens,
And maids and valets dance behind the scenes.'

Picotee, who had been accustomed to unceiled country cottages
all her life, wherein the scamper of a mouse is heard distinctly from
floor to floor, exclaimed in a terrified whisper, at viewing all this,
'They'll hear you underneath, they'll hear you, and we shall all be
ruined!'
'Not at all,' came from the cautious dancers. 'These are some of
the best built houses in London-double floors, filled in with material
that will deaden any row you like to make, and we make none. But
come and have a turn yourself, Miss Chickerel.'
The young man relinquished Menlove, and on the spur of the
moment seized Picotee. Picotee flounced away from him in
indignation, backing into a corner with ruffled feathers, like a pullet
trying to appear a hen.
'How dare you touch me!' she said, with rounded eyes. 'I'll tell
somebody downstairs of you, who'll soon see about it!'
'What a baby; she'll tell her father.'
'No I shan't; somebody you are all afraid of, that's who I'll tell.'
'Nonsense,' said Menlove; 'he meant no harm.'
Playtime was now getting short, and further antics being
dangerous on that account, the performers retired again downstairs,
Picotee of necessity following. Her nerves were screwed up to the
highest pitch of uneasiness by the grotesque habits of these men
and maids, who were quite unlike the country servants she had
known, and resembled nothing so much as pixies, elves, or gnomes,
peeping up upon human beings from their shady haunts
underground, sometimes for good, sometimes for ill-sometimes
doing heavy work, sometimes none; teasing and worrying with
impish laughter half suppressed, and vanishing directly mortal eyes
were bent on them. Separate and distinct from overt existence
under the sun, this life could hardly be without its distinctive
pleasures, all of them being more or less pervaded by thrills and
titillations from games of hazard, and the perpetual risk of
sensational surprises.
Long before this time Picotee had begun to be anxious to get
home again, but Menlove seemed particularly to desire her company,
and pressed her to sit awhile, telling her young friend, by way of
entertainment, of various extraordinary love adventures in which she
had figured as heroine when travelling on the Continent. These
stories had one and all a remarkable likeness in a certain point-
Menlove was always unwilling to love the adorer, and the adorer was
always unwilling to live afterwards on account of it.
'Ha-ha-ha!' in men's voices was heard from the distant dining-
room as the two women went on talking.
'And then,' continued Menlove, 'there was that duel I was the
cause of between the courier and the French valet. Dear me, what a
trouble that was; yet I could do nothing to prevent it. This courier
was a very handsome man-they are handsome sometimes.'
'Yes, they are. My aunt married one.'
'Did she? Where do they live?'
'They keep an hotel at Rouen,' murmured Picotee, in doubt
whether this should have been told or not.
'Well, he used to follow me to the English Church every Sunday
regularly, and I was so determined not to give my hand where my
heart could never be, that I slipped out at the other door while he
stood expecting me by the one I entered. Here I met M. Pierre,
when, as ill luck would have it, the other came round the corner, and
seeing me talking to the valet, he challenged him at once.'
'Ha-ha-ha!' was heard again afar.
'Did they fight?' said Picotee.
'Yes, I believe they did. We left Nice the next day; but I heard
some time after of a duel not many miles off, and although I could
not get hold of the names, I make no doubt it was between those
two gentlemen. I never knew which of them fell; poor fellow,
whichever it was.'
'Ha-ha-ha-ha-ha-ha!' came from the dining-room.
'Whatever are those boozy men laughing at, I wonder?' said
Menlove. 'They are always so noisy when the ladies have gone
upstairs. Upon my soul, I'll run up and find out.'
'No, no, don't,' entreated Picotee, putting her hand on her
entertainer's arm. 'It seems wrong; it is no concern of ours.'
'Wrong be hanged-anything on an impulse,' said Mrs. Menlove,
skipping across the room and out of the door, which stood open, as
did others in the house, the evening being sultry and oppressive.
Picotee waited in her seat until it occurred to her that she could
escape the lady's-maid by going off into her father's pantry in her